Christopher Paidhrin, security administration manager at PeaceHealth, a healthcare provider in the Pacific Northwest, says the entire security community has been "laser focused" on the Heartbleed bug.

"The scope and potential depth of compromise should remind all of us how interdependent we are on trust controls," he says.

Paidhrin says PeaceHealth was not exposed to the vulnerability because it does not use any of the vulnerable platforms. "Still, we checked to be sure. We have a checklist for this vulnerability. We do partner with many others, so we have been cautious to validate the exposure of our peers, partners, vendors and customers," he says.

"PeaceHealth is reaching out to our strategic partners to confirm our shared remediation status. Most of our partners share our concern and have taken steps to address this event."

Three Steps

Elayne Starkey, chief security officer for the State of Delaware, says her department responded in three steps. "Step one was to learn everything we could about it," she says. "Step two was to test our public-facing websites and identify what needed attention."

A Top Concern

The Heartbleed issue is a top concern at the University of Pittsburgh Medical Center, says CISO John Houston.

"It is an OpenSSL issue that is very broad in scope," he says. "We have been actively assessing the issue and have determined that many of our systems are not affected. For those systems that are affected, we are developing plans to remediate the issue."

Houston says his organization is also implementing a signature on its network traffic scanner to actively watch for malicious traffic.

A security leader at a major southeastern bank, who asked not to be identified, says the institution's first action upon learning about Heartbleed was to examine its Internet-facing services to determine if there was exposure. "Fortunately, there was not," he says. "We then began scanning our internal network for systems which were potentially vulnerable."

Based on its investigation, the institution found internal servers that were susceptible to the exploit, as well as additional low-level systems, such as printers. "We continue to work with the vendors to receive patches and replace the OpenSSL certificates which could potentially be compromised."

Kennet Westby, president at the risk management consulting firm Coalfire, says that a number of its internal platforms were affected by the bug. Additionally, two service providers and a remote access client were affected. "All of these have been addressed, patched and validated secure," he says.

Coalfire immediately initiated an internal alert as soon as information about the vulnerability was released. "Initial steps were to inventory any systems, applications or service providers where we could identify the use/integration of the vulnerable version of OpenSSL," Westby says. "We incorporated discovery and scanning tools to assist with this process as these checks were released."
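The inventory step Westby describes usually starts from version strings gathered across hosts. The following is an added example, not Coalfire's tooling or anything from the original article: it classifies `openssl version` output against the affected OpenSSL range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g carries the fix, and the 1.0.0 and 0.9.8 branches never contained the heartbeat code). The host list and version lines are constructed sample data, and the `classify` and `triage` function names are my own.

```python
import re

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g shipped the fix; 1.0.0 and 0.9.8 never had the heartbeat code.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?"
)

def classify(version_line):
    """Return 'vulnerable', 'not vulnerable' or 'unknown' for one line of
    `openssl version` output. This is a version-string heuristic only:
    distributions backport the fix without bumping the letter (a patched
    1.0.1e still reports 1.0.1e), so 'vulnerable' means 'confirm against
    the package changelog or a heartbeat test', not 'proven exploitable'."""
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    major, minor, patch, letter, beta = m.groups()
    branch = (int(major), int(minor), int(patch))
    if branch == (1, 0, 1):
        # plain 1.0.1 (empty letter) up to 1.0.1f are affected; g and later fixed
        return "vulnerable" if letter < "g" else "not vulnerable"
    if branch == (1, 0, 2):
        # only 1.0.2-beta1 is affected; beta2 and the final release are fixed
        return "vulnerable" if beta == "1" else "not vulnerable"
    # 1.0.0, 0.9.8 and anything newer than 1.0.2 are outside the affected range
    return "not vulnerable"

# Constructed sample inventory: "host<TAB>output of `openssl version`".
SAMPLE_INVENTORY = """\
web01\tOpenSSL 1.0.1e 11 Feb 2013
web02\tOpenSSL 1.0.1g 7 Apr 2014
mail01\tOpenSSL 1.0.0k 5 Feb 2013
vpn01\tOpenSSL 1.0.2-beta1 24 Feb 2014
print01\tcommand not found
"""

def triage(inventory_text):
    """Map each host in the tab-separated inventory to its classification."""
    result = {}
    for line in inventory_text.splitlines():
        host, _, version_line = line.partition("\t")
        result[host] = classify(version_line)
    return result

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
```

Hosts that report "unknown" (appliances and printers that have no `openssl` binary, as the bank in this article found) still need vendor confirmation, since the library can be embedded in firmware.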

Westby says the company will continue to focus on reducing the risk of any compromise by changing all account passwords in its internal systems, updating all SSL keys and certificates that could have been compromised, and encouraging all users to change the passwords they use with external service providers.

Heartbleed Updates

Technology companies Cisco and Juniper Networks, along with several other vendors, issued alerts about which of their products are vulnerable to the Heartbleed bug (see: Cisco, Juniper Issue Heartbleed Alerts).

Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," says Codenomicon, the Finland-based security vendor that discovered the bug, along with a researcher at Google Security.

Codenomicon says a fixed version of OpenSSL has been released and needs to be deployed now on websites vulnerable to the bug. Additionally, organizations can use an online tool to check whether their website is vulnerable.

About the Author

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
